Seclored: The Data Security News Blog

Your Guide to US Data Privacy Laws: Exploring State-Level Regulations

Category: Data Privacy

Where is the United States regarding its Data Privacy Laws? The answer lies within several state-level acts.

In 2019, the United States data privacy framework changed significantly with the emergence of the California Consumer Privacy Act (CCPA). More states have been passing data privacy laws because no national law covers data privacy at the federal level. This has been happening since then.

As of now, 16 states have passed comprehensive data privacy laws, some of which include a cure period for companies to prepare before the law comes into effect:

California Virginia Colorado Connecticut
Utah Washington Nevada Florida
Texas Oregon Tennessee Montana
Delaware Iowa New Jersey Indiana

Of the states listed above, California, Virginia, Colorado, Connecticut, and Utah’s laws are currently in effect, with laws in the remaining states going into effect on or before January 1, 2026.

These state-level data privacy laws govern the implementation of cybersecurity controls, transparency of privacy practices, collection of personal data (to the extent necessary), and special rules for data processors. For the most part, businesses that service residents of these states must review their data protection programs to ensure they comply with relevant state regulations. The most significant challenge data controllers are likely to face when complying with these regulations is identifying personal and sensitive data because the definitions of these terms are relatively broad and, in some cases, exceptionally so.

The requirement for a Data Privacy Impact Assessment (DPIA) or similar review is relatively common among state data privacy laws. Given that a distinct assessment is required for each system or application processing personal data, this also involves an elevated risk that controllers should begin planning for as soon as possible.

To round out the list of high-priority tasks, controllers need to review the agreements with their data processors; every one of the new state laws, some in overly prescriptive terms, mandates such a review.

Seclore helps organizations protect data from leaking with encryption and targeted access controls for unstructured data, such as files and email. Check out our white paper that explores how the 16 state-level privacy regulations in the United States affect your company.

While these state-level data privacy laws are intended to be comprehensive in scope, they also contain carve-outs for data already protected under other laws, such as GLBA and HIPAA. The sixteen state-level statutes vary with respect to their applicability based on businesses that meet certain revenue thresholds and on the number of residents, consumers, households, or devices with data in the relevant jurisdiction. Each statute is different, and we recommend consulting with a qualified professional regarding its applicability to your business, requirements, liabilities, penalties, and means of enforcement.

By providing a basic understanding of these new state-level data privacy laws and where they originate from, we hope to give organizations a foundation to analyze and understand their requirements under these new laws.

Data privacy laws are evolving rapidly; make sure you stay informed, as they are here to stay!

Tom Dunlap is the Founder and Managing Partner of DIACSUS LLC, an international advisory and consulting firm for the financial services industry, specializing in the data ecosystem spaces of governance, management, innovation, integration, transformation, digitization, & visualization, as well as operational risk & regulatory intelligence. Tom serves on the advisory boards for DeepSee.ai and PredictIntel.
Tom has over 33 years of financial services industry experience across a range of data management & operations leadership roles. Prior to DIACSUS LLC, for 4 years he was Group Chief Data Officer, head of enterprise data governance, and head of data operations of the London Stock Exchange Group (LSEG). He was a senior consultant and advisor to Raymond James Financial and fintech company Lingotek. Tom spent 18 years with Goldman Sachs in a variety of senior operations and data leadership roles, including Managing Director of operations and global head of the firm’s enterprise data strategy and reference data operations. In addition, he held the role of Vice President for Citibank’s Worldwide Securities Services Division.
Tom was a two-term member of the Financial Research Advisory Committee of the US Treasury Department’s Office of Financial Research, on the Board of Directors of the Enterprise Data Management Council, and he is the current CDO Ambassador for the State of South Carolina.

Since 2015, Lisa has served as the Director of Legal Business Development at Seclore Technology. In this role, she focuses on product recognition and sales in the legal market, engaging with law firm professionals to discuss data security best practices and analytics workflows. Previously, during her 23-year tenure at Goodwin Procter LLP and Foley Hoag LLP, Lisa excelled as a Senior Litigation Paralegal, leading international and domestic eDiscovery teams and bridging the gap between legal and litigation support. Recognized for her contributions, she became President of the Board for the New England Litigation Technology Professionals in June 2016. Lisa holds degrees from Boston College and Syracuse University.

Related Posts